Site News  |   Monitor Keywords  |   Monitor Archive  |   Organizer  |   Account Info  |

Method and apparatus for detecting computer fraud

The present invention generally relates to information technology, and, more particularly, to a method and apparatus for detecting computer fraud.

When a user receives an e-mail or other communication which appeals to contain a link to web site “A,” but is redirected to an impersonated version of web site “A,” the user is said to be the subject of a web site “phishing” attack Users would like to know whether a site that they are visiting is a well-known, legitimate site, or a site that looks like a legitimate site but is not located at the same location as the expected legitimate version of the web site.

A user may initiate a transfer of a web page into a browser by typing the URL, following a link, following a link embedded in an email or an instant messaging session, or via a redirect from another page. As a result, the browser will resolve the protocol to be used to look up the destination page, contact the domain name system (DNS) to resolve the destination host, connect to the internet protocol (IP) address named by the DNS look-up, download the page content, render the page and simultaneously execute any embedded scripts where appropriate. The content of this page can be forged in many ways.

There are known browser tool bars that merely extract the uniform resource locator (URL) from the web browser and normalize it to present to the user the effective site to which he or she is connected. While this may eliminate attacks in which a URL overfills the browser location window by reducing the site name, it does not solve the problem in which two very similar-looking domain names are being used. Since the information about effective sites is fairly coarse, it is possible for an attacker to get a closely looking domain name in the same geography (e.g. United States) and then try to confuse such phishing detectors. Furthermore, with increasing globalization, it is quite likely, for example, that a legitimate site for a U.S.-based bank is located in another country such as, for example, India or Brazil, which makes for several false alarms. Using the known techniques, the user would still be lead to believe that he or she is contacting the correct web site. The known techniques rely on the user to check the domain name for every visited web site. Furthermore, the known techniques only extract the information delivered in the actual URL, and therefore, these techniques are not safe in the case of DNS poisoning attacks, in which the actual domain names are forced to resolve to a subverted site IP address that is different from the target that the user intended when he or she typed the name into the browser location bar.

It would thus be desirable to overcome the limitations in previous approaches.

Principles of the present invention provide techniques for detecting computer fraud. An exemplary method (which can be computer-implemented) for detecting computer fraud, according to one aspect of the invention, can include steps of obtaining a text version of a candidate destination and a graphical rendering of the candidate destination, comparing the text version and graphical tendering of the candidate destination with a corresponding text version and a corresponding graphical rendering of a stored destination, and generating a fraud warning if the graphical rendering of the candidate destination is substantially similar to the graphical rendering of the stored destination while the text version of the candidate destination differs substantially from the corresponding text version of the stored destination.

In one aspect of the invention, the candidate destination and stored destination are represented as URLs. Also, in another aspect of the invention, the techniques for detecting computer fraud are automatically executed upon loading a web page associated with a candidate destination. The techniques may also be executed by using a button that is shown to a user in at least one of a window and a status bar external to a browser window associated with the candidate destination. Furthermore, in another aspect of the invention, a fraud warning may be generated via a visual prompt displayed to a user in at least one of a window and a status bar external to a browser window associated with the candidate destination. In yet another aspect of the invention, the candidate destination is identified as clean if all determined organizations match to a corresponding stored organization and if the stored organization is not substantially similar to another organization ranked as more popular in a database. The candidate destination is identified as unknown if visual cues can not be matched to an organization, but for which the candidate destination coincides with a visual URL and destination unlikely to be a phishing destination.

In an embodiment of the invention, an exemplary method of generating a database, or white-list, of destinations to be protected against computer fraud can include the steps of generating at least one category of destinations to be protected, and retrieving at least one list of destinations belonging to the at least one category. In one aspect of the invention, the step of retrieving at least one list of destinations belonging to the at least one category comprises obtaining a first list of destinations and a second list of destinations, and merging the first and second lists of destinations. Also, in another aspect of the invention, the retrieving step comprises accessing an Internet search engine and/or accessing an Internet indexing service.

At least one embodiment of the invention can be implemented in the form of a computer product including a computer usable medium with computer usable program code for performing the method steps indicated Furthermore, at least one embodiment of the invention can be implemented in the form of an apparatus including a memory and at least one processor that is coupled to the memory and operative to perform exemplary method steps.

At least one embodiment of the invention may provide one or more beneficial technical effects, such as, for example, detecting computer fraud when the candidate or phishing entity comprises a domain name that is very similar-looking to that of an intended or stored entity. Also, at least one embodiment of the invention may provide the beneficial effect of detecting computer fraud in situations in which an intended domain name is forced to resolve to a candidate or phishing destination that is different from the target that a user intended when the user typed the name into the browser location bar.

These and other objects, features and advantages of the present invention will become apparent from the following detailed description of illustrative embodiments thereof, which is to be read in connection with the accompanying drawings.

FIG. 1 is a flow diagram illustrating an exemplary method for detecting computer fraud, according to one aspect of the invention;

FIG. 2 is a block diagram illustrating an exemplary system that can execute an exemplary method for detecting computer fraud, according to another aspect of the invention;

FIG. 3 is a flow diagram illustrating an exemplary method for generating a database of destinations to be protected against computer fraud, according to yet another aspect of the invention; and

FIG. 4 is a system diagram of an exemplary computer system on which at least one embodiment of the present invention can be implemented.